Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense 2.6.0 Fails to Recover after WAN Issues

    Scheduled Pinned Locked Moved General pfSense Questions
    28 Posts 5 Posters 5.9k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      guardian Rebel Alliance @stephenw10
      last edited by

      @stephenw10 said in pfSense 2.6.0 Fails to Recover after WAN Issues:

      If you put a switch between the WAN NIC and the modem for example that would almost certainly eliminate this issue.
      Interesting idea... I don't have a spare switch at the moment, but I will keep that in mind.

      But testing to see what happens in a controlled situation such as manually reconnecting the WAN cable or rebooting the modem could give some useful data. If the WAN does not flap when doing that then it's something the modem is doing when it fails.

      Hi @stephenw10 OK, I took a few minutes to do some testing, and the TLDR; appears to be that there is something about the way the link on the cable modem comes back up after a reboot.

      What I did was to disconnect the cable for 10 minutes and reconnect it without rebooting the modem. The system recovered normally after a couple of minutes.

      Then I pulled the power on the modem for 30 seconds and let the modem reboot. The system did not properly recover until I pulled the plug and disconnected the modem from pfSense. I suspect that the modem is restoring link connectivity before the internet connectivity returns, but this is just a guess.

      FWIW, here is the log form both tests - I used logger as admin_user from the console to inject a few messages as comments for reference.

      Feb 12 03:49:19 pfsense admin_user[16594]: **********************************************************************
      Feb 12 03:50:04 pfsense kernel: em0: link state changed to DOWN
      Feb 12 03:50:04 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 03:50:05 pfsense php-fpm[22688]: /rc.linkup: DEVD Ethernet detached event for wan
      Feb 12 03:50:06 pfsense php-fpm[22688]: /rc.linkup: Removing static route for monitor 8.8.4.4 and adding a new route through 10.2.110.27
      Feb 12 03:50:06 pfsense check_reload_status[396]: Reloading filter
      Feb 12 03:50:07 pfsense admin_user[96112]: Disconnecting network cable from modem
      Feb 12 03:50:08 pfsense rc.gateway_alarm[99539]: >>> Gateway alarm: UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Feb 12 03:50:08 pfsense check_reload_status[396]: updating dyndns UDP_TOS_VPNV4
      Feb 12 03:50:08 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 03:50:08 pfsense check_reload_status[396]: Restarting OpenVPN tunnels/interfaces
      Feb 12 03:50:08 pfsense check_reload_status[396]: Reloading filter
      Feb 12 03:50:09 pfsense php-fpm[91128]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 03:50:09 pfsense php-fpm[91128]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use UDP_TOS_VPNV4.
      Feb 12 03:51:08 pfsense kernel: ovpnc1: link state changed to DOWN
      Feb 12 03:51:08 pfsense check_reload_status[396]: Reloading filter
      Feb 12 03:52:00 pfsense php[41801]: servicewatchdog_cron.php: Service Watchdog detected service openvpn stopped. Restarting openvpn (OpenVPN client: VPN STRONG UDP (1197))
      Feb 12 03:52:00 pfsense root[48667]: ~~~~~ 23/02/12-03:52:00-WAN is down-DNS restart not attempted.
      Feb 12 03:52:00 pfsense check_reload_status[396]: Reloading filter
      Feb 12 03:52:00 pfsense php[48999]: notify_monitor.php: Could not send the message to pfsense@qsv.ca -- Error: Failed to connect to ssl://shadow.mxrouting.net:465 [SMTP: Failed to connect socket: Network is unreachable (code: -1, response: )]
      Feb 12 03:53:42 pfsense php-fpm[359]: /packages/cron/cron_edit.php: Configuration Change: admin_user@172.16.50.16 (Local Database): Crontab item deleted via cron package
      Feb 12 03:53:42 pfsense check_reload_status[396]: Syncing firewall
      Feb 12 04:01:09 pfsense admin_user[99346]: Reconnecting network cable to modem
      Feb 12 04:01:15 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:01:15 pfsense kernel: em0: link state changed to UP
      Feb 12 04:01:16 pfsense php-fpm[22688]: /rc.linkup: DEVD Ethernet attached event for wan
      Feb 12 04:01:16 pfsense php-fpm[22688]: /rc.linkup: HOTPLUG: Configuring interface wan
      Feb 12 04:01:16 pfsense check_reload_status[396]: rc.newwanip starting em0
      Feb 12 04:01:16 pfsense php-fpm[22688]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:01:16 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:01:17 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: Info: starting on em0.
      Feb 12 04:01:17 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: on (IP address: 99.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em0).
      Feb 12 04:01:17 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:01:23 pfsense php-fpm[22688]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:01:23 pfsense check_reload_status[396]: updating dyndns wan
      Feb 12 04:01:57 pfsense php-fpm[22688]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:01:58 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:02:32 pfsense kernel: ovpnc1: link state changed to UP
      Feb 12 04:02:32 pfsense check_reload_status[396]: rc.newwanip starting ovpnc1
      Feb 12 04:02:33 pfsense php-fpm[4753]: /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
      Feb 12 04:02:33 pfsense php-fpm[4753]: /rc.newwanip: rc.newwanip: on (IP address: 10.28.110.16) (interface: UDP_TOS[opt28]) (real interface: ovpnc1).
      Feb 12 04:02:39 pfsense php-fpm[4753]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 99.xxx.xxx.1
      Feb 12 04:02:39 pfsense php-fpm[4753]: /rc.newwanip: Removing static route for monitor 8.8.4.4 and adding a new route through 10.28.110.16
      Feb 12 04:02:40 pfsense php-fpm[4753]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:02:40 pfsense php-fpm[4753]: /rc.newwanip: IP Address has changed, killing states on former IP Address 10.2.110.27.
      Feb 12 04:02:46 pfsense php-fpm[4753]: /rc.newwanip: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:02:46 pfsense php-fpm[4753]: /rc.newwanip: Creating rrd update script
      Feb 12 04:02:48 pfsense php-fpm[4753]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.2.110.27 ->  10.28.110.16 - Restarting packages.
      Feb 12 04:02:48 pfsense check_reload_status[396]: Starting packages
      Feb 12 04:02:49 pfsense php-fpm[91128]: /rc.start_packages: Restarting/Starting all packages.
      Feb 12 04:02:50 pfsense php-fpm[91128]: /rc.start_packages: Reloading syslog-ng for configuration sync
      Feb 12 04:02:50 pfsense supervise/syslog-ng[19818]: Daemon exited gracefully, not restarting; exitcode='0'
      Feb 12 04:02:55 pfsense php-fpm[91128]: /rc.start_packages: The command '/usr/local/etc/rc.d/syslog-ng.sh stop' returned exit code '1', the output was '' 
      Feb 12 04:02:56 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:02:56 pfsense kernel: em1.1: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.91: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.92: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.93: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.10: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.192: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.254: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.20: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.30: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.40: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1.50: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em0: promiscuous mode disabled
      Feb 12 04:02:56 pfsense kernel: em1: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.1: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.91: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.92: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.93: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.10: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.192: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.254: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.20: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.30: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.40: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em1.50: promiscuous mode enabled
      Feb 12 04:02:56 pfsense kernel: em0: promiscuous mode enabled
      Feb 12 04:02:59 pfsense lighttpd_pfb[4133]: [pfBlockerNG] DNSBL Webserver stopped
      Feb 12 04:02:59 pfsense tail_pfb[4327]: [pfBlockerNG] Firewall Filter Service stopped
      Feb 12 04:02:59 pfsense php_pfb[4627]: [pfBlockerNG] filterlog daemon stopped
      Feb 12 04:02:59 pfsense lighttpd_pfb[6129]: [pfBlockerNG] DNSBL Webserver started
      Feb 12 04:02:59 pfsense tail_pfb[9019]: [pfBlockerNG] Firewall Filter Service started
      Feb 12 04:03:00 pfsense php[6968]: [pfBlockerNG] DNSBL parser daemon started
      Feb 12 04:03:00 pfsense php[9363]: [pfBlockerNG] filterlog daemon started
      Feb 12 04:03:38 pfsense admin_user[45430]: Dashboard shows everything back online - Testing complete
      Feb 12 04:03:41 pfsense admin_user[47476]: **********************************************************************
      Feb 12 04:05:18 pfsense admin_user[16322]: **********************************************************************
      Feb 12 04:05:27 pfsense admin_user[18252]: reboooting modem
      Feb 12 04:05:34 pfsense kernel: em0: link state changed to DOWN
      Feb 12 04:05:34 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:05:35 pfsense php-fpm[4753]: /rc.linkup: DEVD Ethernet detached event for wan
      Feb 12 04:05:36 pfsense php-fpm[4753]: /rc.linkup: Removing static route for monitor 8.8.4.4 and adding a new route through 10.28.110.16
      Feb 12 04:05:36 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:05:38 pfsense rc.gateway_alarm[29450]: >>> Gateway alarm: UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Feb 12 04:05:38 pfsense check_reload_status[396]: updating dyndns UDP_TOS_VPNV4
      Feb 12 04:05:38 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:05:38 pfsense check_reload_status[396]: Restarting OpenVPN tunnels/interfaces
      Feb 12 04:05:38 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:05:39 pfsense php-fpm[38038]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:05:39 pfsense php-fpm[38038]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use UDP_TOS_VPNV4.
      Feb 12 04:05:46 pfsense admin_user[9863]: modem power off
      Feb 12 04:06:15 pfsense admin_user[75447]: modem power on
      Feb 12 04:06:19 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:06:19 pfsense kernel: em0: link state changed to UP
      Feb 12 04:06:20 pfsense php-fpm[359]: /rc.linkup: DEVD Ethernet attached event for wan
      Feb 12 04:06:20 pfsense php-fpm[359]: /rc.linkup: HOTPLUG: Configuring interface wan
      Feb 12 04:07:21 pfsense kernel: em0: link state changed to DOWN
      Feb 12 04:07:21 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:07:30 pfsense kernel: em0: link state changed to UP
      Feb 12 04:07:30 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:08:01 pfsense admin_user[85736]: modem all lights flashed
      Feb 12 04:08:26 pfsense kernel: em0: link state changed to DOWN
      Feb 12 04:08:26 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:08:33 pfsense kernel: em0: link state changed to UP
      Feb 12 04:08:33 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:09:52 pfsense php-fpm[359]: /rc.linkup: Default gateway setting Interface WAN_DHCP Gateway as default.
      Feb 12 04:09:52 pfsense php-fpm[359]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:09:52 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:09:58 pfsense php-fpm[359]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:09:58 pfsense check_reload_status[396]: updating dyndns wan
      Feb 12 04:10:07 pfsense check_reload_status[396]: rc.newwanip starting em0
      Feb 12 04:10:08 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: Info: starting on em0.
      Feb 12 04:10:08 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: on (IP address: 99.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em0).
      Feb 12 04:10:08 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:10:11 pfsense admin_user[46872]: modem status lights indicate connectivity restored
      Feb 12 04:10:33 pfsense php-fpm[359]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:10:33 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:10:33 pfsense php-fpm[74959]: /rc.linkup: DEVD Ethernet detached event for wan
      Feb 12 04:10:34 pfsense php-fpm[74959]: /rc.linkup: Removing static route for monitor 8.8.4.4 and adding a new route through 10.28.110.16
      Feb 12 04:10:34 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:10:34 pfsense php-fpm[22688]: /rc.linkup: DEVD Ethernet attached event for wan
      Feb 12 04:10:34 pfsense php-fpm[22688]: /rc.linkup: HOTPLUG: Configuring interface wan
      Feb 12 04:10:35 pfsense check_reload_status[396]: rc.newwanip starting em0
      Feb 12 04:10:36 pfsense php-fpm[359]: /rc.newwanip: rc.newwanip: Info: starting on em0.
      Feb 12 04:10:36 pfsense php-fpm[359]: /rc.newwanip: rc.newwanip: on (IP address: 99.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em0).
      Feb 12 04:10:36 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:10:37 pfsense rc.gateway_alarm[76647]: >>> Gateway alarm: UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Feb 12 04:10:37 pfsense check_reload_status[396]: updating dyndns UDP_TOS_VPNV4
      Feb 12 04:10:37 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:10:37 pfsense check_reload_status[396]: Restarting OpenVPN tunnels/interfaces
      Feb 12 04:10:37 pfsense php-fpm[22688]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:10:37 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:10:38 pfsense php-fpm[74959]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:10:38 pfsense php-fpm[74959]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use UDP_TOS_VPNV4.
      Feb 12 04:11:11 pfsense php-fpm[22688]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:11:12 pfsense check_reload_status[396]: updating dyndns wan
      Feb 12 04:11:46 pfsense php-fpm[22688]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:11:47 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:11:47 pfsense php-fpm[38038]: /rc.linkup: DEVD Ethernet detached event for wan
      Feb 12 04:11:48 pfsense php-fpm[38038]: /rc.linkup: Removing static route for monitor 8.8.4.4 and adding a new route through 10.28.110.16
      Feb 12 04:11:48 pfsense php-fpm[17557]: /rc.linkup: DEVD Ethernet attached event for wan
      Feb 12 04:11:48 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:11:48 pfsense php-fpm[17557]: /rc.linkup: HOTPLUG: Configuring interface wan
      Feb 12 04:11:48 pfsense check_reload_status[396]: rc.newwanip starting em0
      Feb 12 04:11:48 pfsense php-fpm[17557]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:11:48 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:11:49 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: Info: starting on em0.
      Feb 12 04:11:49 pfsense php-fpm[91128]: /rc.newwanip: rc.newwanip: on (IP address: 99.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em0).
      Feb 12 04:11:49 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:11:50 pfsense rc.gateway_alarm[53702]: >>> Gateway alarm: UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Feb 12 04:11:50 pfsense check_reload_status[396]: updating dyndns UDP_TOS_VPNV4
      Feb 12 04:11:50 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:11:50 pfsense check_reload_status[396]: Restarting OpenVPN tunnels/interfaces
      Feb 12 04:11:51 pfsense php-fpm[22688]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:11:51 pfsense php-fpm[22688]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use UDP_TOS_VPNV4.
      Feb 12 04:12:23 pfsense php-fpm[17557]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:12:23 pfsense check_reload_status[396]: updating dyndns wan
      Feb 12 04:12:24 pfsense admin_user[32234]: dashboard indicates WAN Unknown / OpenVPN OFFLINE
      Feb 12 04:12:58 pfsense php-fpm[17557]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:12:58 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:15:00 pfsense php[31842]: [pfBlockerNG] Starting cron process.
      Feb 12 04:16:08 pfsense admin_user[63130]: pfBlocker Update started / Dashboard indicates WAN/OpenVPN Down
      Feb 12 04:16:14 pfsense kernel: em0: link state changed to DOWN
      Feb 12 04:16:14 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:16:15 pfsense php-fpm[38038]: /rc.linkup: DEVD Ethernet detached event for wan
      Feb 12 04:16:16 pfsense php-fpm[38038]: /rc.linkup: Removing static route for monitor 8.8.4.4 and adding a new route through 10.28.110.16
      Feb 12 04:16:16 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:16:18 pfsense rc.gateway_alarm[24348]: >>> Gateway alarm: UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Feb 12 04:16:18 pfsense check_reload_status[396]: updating dyndns UDP_TOS_VPNV4
      Feb 12 04:16:18 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:16:18 pfsense check_reload_status[396]: Restarting OpenVPN tunnels/interfaces
      Feb 12 04:16:18 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:16:19 pfsense php-fpm[22688]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:16:19 pfsense php-fpm[22688]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use UDP_TOS_VPNV4.
      Feb 12 04:16:29 pfsense admin_user[88035]: Cable disconnected from modem
      Feb 12 04:16:54 pfsense admin_user[85547]: Cable reconnected to modem
      Feb 12 04:16:55 pfsense check_reload_status[396]: Linkup starting em0
      Feb 12 04:16:55 pfsense kernel: em0: link state changed to UP
      Feb 12 04:16:56 pfsense php-fpm[76071]: /rc.linkup: DEVD Ethernet attached event for wan
      Feb 12 04:16:56 pfsense php-fpm[76071]: /rc.linkup: HOTPLUG: Configuring interface wan
      Feb 12 04:16:56 pfsense check_reload_status[396]: rc.newwanip starting em0
      Feb 12 04:16:56 pfsense php-fpm[76071]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:16:56 pfsense check_reload_status[396]: Restarting IPsec tunnels
      Feb 12 04:16:57 pfsense php-fpm[4753]: /rc.newwanip: rc.newwanip: Info: starting on em0.
      Feb 12 04:16:57 pfsense php-fpm[4753]: /rc.newwanip: rc.newwanip: on (IP address: 99.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em0).
      Feb 12 04:16:57 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:17:03 pfsense php-fpm[76071]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:17:03 pfsense check_reload_status[396]: updating dyndns wan
      Feb 12 04:17:38 pfsense php-fpm[76071]: /rc.linkup: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:17:38 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:18:24 pfsense kernel: ovpnc1: link state changed to DOWN
      Feb 12 04:18:24 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:18:25 pfsense kernel: ovpnc1: link state changed to UP
      Feb 12 04:18:25 pfsense check_reload_status[396]: rc.newwanip starting ovpnc1
      Feb 12 04:18:27 pfsense php-fpm[17557]: /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
      Feb 12 04:18:27 pfsense php-fpm[17557]: /rc.newwanip: rc.newwanip: on (IP address: 10.16.110.16) (interface: UDP_TOS[opt28]) (real interface: ovpnc1).
      Feb 12 04:18:37 pfsense php-fpm[17557]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 99.xxx.xxx.1
      Feb 12 04:18:38 pfsense php-fpm[17557]: /rc.newwanip: Removing static route for monitor 8.8.4.4 and adding a new route through 10.16.110.16
      Feb 12 04:18:38 pfsense php-fpm[17557]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
      Feb 12 04:18:38 pfsense php-fpm[17557]: /rc.newwanip: IP Address has changed, killing states on former IP Address 10.28.110.16.
      Feb 12 04:18:43 pfsense php[31842]: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
      Feb 12 04:18:43 pfsense php[31842]: 
      Feb 12 04:18:45 pfsense php-fpm[17557]: /rc.newwanip: The command '/usr/sbin/arp -s '172.16.50.1' '00:28:1a:xx:xx:xx'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' 
      Feb 12 04:18:45 pfsense php-fpm[17557]: /rc.newwanip: Creating rrd update script
      Feb 12 04:18:47 pfsense php-fpm[17557]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.28.110.16 ->  10.16.110.16 - Restarting packages.
      Feb 12 04:18:47 pfsense check_reload_status[396]: Starting packages
      Feb 12 04:18:48 pfsense php-fpm[38038]: /rc.start_packages: Restarting/Starting all packages.
      Feb 12 04:18:49 pfsense php-fpm[38038]: /rc.start_packages: Reloading syslog-ng for configuration sync
      Feb 12 04:18:49 pfsense supervise/syslog-ng[17474]: Daemon exited gracefully, not restarting; exitcode='0'
      Feb 12 04:18:54 pfsense php-fpm[38038]: /rc.start_packages: The command '/usr/local/etc/rc.d/syslog-ng.sh stop' returned exit code '1', the output was '' 
      Feb 12 04:18:55 pfsense check_reload_status[396]: Reloading filter
      Feb 12 04:18:55 pfsense kernel: em1.1: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.91: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.92: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.93: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.10: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.192: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.254: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.20: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.30: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.40: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1.50: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em0: promiscuous mode disabled
      Feb 12 04:18:55 pfsense kernel: em1: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.1: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.91: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.92: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.93: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.10: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.192: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.254: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.20: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.30: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.40: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em1.50: promiscuous mode enabled
      Feb 12 04:18:55 pfsense kernel: em0: promiscuous mode enabled
      Feb 12 04:18:55 pfsense admin_user[51191]: Dashboard shows WAN/OPENVPN now oline
      Feb 12 04:18:57 pfsense tail_pfb[32202]: [pfBlockerNG] Firewall Filter Service stopped
      Feb 12 04:18:57 pfsense php_pfb[32309]: [pfBlockerNG] filterlog daemon stopped
      Feb 12 04:18:58 pfsense lighttpd_pfb[33446]: [pfBlockerNG] DNSBL Webserver stopped
      Feb 12 04:18:58 pfsense lighttpd_pfb[35056]: [pfBlockerNG] DNSBL Webserver started
      Feb 12 04:18:58 pfsense tail_pfb[38719]: [pfBlockerNG] Firewall Filter Service started
      Feb 12 04:18:58 pfsense php[35803]: [pfBlockerNG] DNSBL parser daemon started
      Feb 12 04:18:59 pfsense php[39232]: [pfBlockerNG] filterlog daemon started
      Feb 12 04:21:19 pfsense admin_user[22342]: pfBlocker-- Unable to apply rules. Outbound interface option not configured.
      Feb 12 04:21:33 pfsense admin_user[23930]: System Normal - testing complete
      Feb 12 04:21:40 pfsense admin_user[24890]: **********************************************************************
      

      Any ideas? Any way of monitoring status registers on the WAN NIC? It is also possible that some IPv6 signalling is expected, but I have IPv6 turned off on interrfaces for security reasons as I don't trust myself to deal with it properly.

      P.S: Rogers has been quite scary in the past with IPv6 in the past - at one point a couple of years back, default configuration of their modem and default configuration of Windows had everyone's shares exposed to the internet.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.8.0-RELEASE

      1 Reply Last reply Reply Quote 0
      • stephenw10S Online
        stephenw10 Netgate Administrator
        last edited by

        I would test putting a switch between the modem and pfSense and seeing if that eliminates the issue when rebooting the modem. I would expect it to.

        G 1 Reply Last reply Reply Quote 0
        • G Offline
          guardian Rebel Alliance @stephenw10
          last edited by

          @stephenw10 said in pfSense 2.6.0 Fails to Recover after WAN Issues:

          I would test putting a switch between the modem and pfSense and seeing if that eliminates the issue when rebooting the modem. I would expect it to.

          At the moment I don't have a spare switch available to do that with. Any ideas as to how I might test what is going on (shell script or small php script)? I deactivated my watchdog scripts in favor of the watchdog plugin to see how that works. I have noticed a couple of short gateway issues, but the didn't seem to persist.

          I was thinking maybe if there was a loss of WAN connectivity for 5 minutes, but the WAN showed as up to down the interface for say 10-15 seconds and then bring it up again.

          What is the best FreeBSD way to do that? Based on your knowledge of how the system works, is pfSense likely to bring the WAN back up? If so how quickly?

          Thoughts?

          If you find my post useful, please give it a thumbs up!
          pfSense 2.8.0-RELEASE

          1 Reply Last reply Reply Quote 0
          • JKnottJ Offline
            JKnott @guardian
            last edited by

            @guardian

            FWIW, I'm on Rogers and find my service is extremely reliable. One thing you might want to check is the hardware. A flaky (pardon the technical jargon) computer or bad patch cord could cause problems.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            G 1 Reply Last reply Reply Quote 1
            • stephenw10S Online
              stephenw10 Netgate Administrator
              last edited by

              You shouldn't need to do more than re-apply the WAN config.
              So I'd first try: /etc/rc.linkup start wan

              G 1 Reply Last reply Reply Quote 1
              • G Offline
                guardian Rebel Alliance @JKnott
                last edited by

                @jknott said in pfSense 2.6.0 Fails to Recover after WAN Issues:

                @guardian

                FWIW, I'm on Rogers and find my service is extremely reliable. One thing you might want to check is the hardware. A flaky (pardon the technical jargon) computer or bad patch cord could cause problems.

                @jknott thanks for the reply. I agree the service is very reliable. I can go for months without a problem, then something happens (based on timing, I think it is likely maintenance), the service goes out, and doesn't recover. When I reboot the router, it appears that pfSense doesn't always come back without intervention.. When I did a reboot to test, I found in the trail that I did that pfSense did not come back online until I briefly disconnected the network cable briefly and then reconnected it. That leads me to the conclusion that there is something going on either at the output of the modem, or with the WAN port.

                BTW what speed service/modem do you have. I have GB/Hitron CPDA-4582U.

                If you find my post useful, please give it a thumbs up!
                pfSense 2.8.0-RELEASE

                JKnottJ 1 Reply Last reply Reply Quote 0
                • G Offline
                  guardian Rebel Alliance @stephenw10
                  last edited by

                  @stephenw10 said in pfSense 2.6.0 Fails to Recover after WAN Issues:

                  You shouldn't need to do more than re-apply the WAN config.
                  So I'd first try: /etc/rc.linkup start wan

                  @stephenw10 - Thanks.... I'll keep that in mind. So far no further issues since my last report. I may go months (or minutes) before the next failure.

                  Any idea how I can test if dpinger is functioning correctly? I was thinking about a watchdog that would (assuming dpinger is OK) apply /etc/rc.linkup start wan every 5 minutes until things came back online. Thoughts?

                  I'll likely pend this till the next time that I have issues.... likely be on a different version of pfSense by that time.

                  If you find my post useful, please give it a thumbs up!
                  pfSense 2.8.0-RELEASE

                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    guardian Rebel Alliance
                    last edited by

                    @guardian said in pfSense 2.6.0 Fails to Recover after WAN Issues:
                    @stephenw10 Things have been working well until today. Since you are part of the Netgate team, I though I should ping you on this issue since you were involved before, and maybe someone else might have some bright ideas as well. I've included the log from the relevent time frame at the bottom of this post.

                    It appears that the watchdog plugin is not very useful at restarting the OpenVPN client. I had some issues on the WAN, that screwed up the VPN client: (I think this is what started it):

                    Mar 2 14:46:14 rc.gateway_alarm 5241 >>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:593.648ms RTTsd:1382.451ms Loss:0%)

                    The WAN recovered, but the VPN didn't recover, which caused my wife to ask me to investigate. The WAN was UP, VPN was DOWN.

                    I looked in the OpenVPN log and found this:

                    Mar 2 17:10:40	openvpn	48841	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:10:40	openvpn	48841	MANAGEMENT: Client connected from /var/etc/openvpn/server4/sock
                    Mar 2 17:10:40	openvpn	73327	MANAGEMENT: Client disconnected
                    Mar 2 17:10:40	openvpn	73327	MANAGEMENT: CMD 'quit'
                    Mar 2 17:10:39	openvpn	73327	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:10:39	openvpn	73327	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                    Mar 2 17:09:53	openvpn	48841	159.203.192.10:54092 SIGUSR1[soft,connection-reset] received, client-instance restarting
                    Mar 2 17:09:53	openvpn	48841	159.203.192.10:54092 Connection reset, restarting [0]
                    Mar 2 17:09:53	openvpn	48841	159.203.192.10:54092 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                    Mar 2 17:09:53	openvpn	48841	TCP connection established with [AF_INET]159.203.192.10:54092
                    Mar 2 17:09:53	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Mar 2 17:09:53	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                    Mar 2 17:09:53	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Mar 2 17:09:53	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                    Mar 2 17:09:46	openvpn	48841	107.170.253.8:57982 SIGUSR1[soft,connection-reset] received, client-instance restarting
                    Mar 2 17:09:46	openvpn	48841	107.170.253.8:57982 Connection reset, restarting [0]
                    Mar 2 17:09:46	openvpn	48841	107.170.253.8:57982 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                    Mar 2 17:09:46	openvpn	48841	TCP connection established with [AF_INET]107.170.253.8:57982
                    Mar 2 17:09:46	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Mar 2 17:09:46	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                    Mar 2 17:09:46	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Mar 2 17:09:46	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                    Mar 2 17:09:37	openvpn	48841	MANAGEMENT: Client disconnected
                    Mar 2 17:09:37	openvpn	48841	MANAGEMENT: CMD 'quit'
                    Mar 2 17:09:37	openvpn	48841	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:09:37	openvpn	48841	MANAGEMENT: Client connected from /var/etc/openvpn/server4/sock
                    Mar 2 17:09:37	openvpn	73327	MANAGEMENT: Client disconnected
                    Mar 2 17:09:37	openvpn	73327	MANAGEMENT: CMD 'quit'
                    Mar 2 17:09:36	openvpn	73327	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:09:36	openvpn	73327	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                    Mar 2 17:08:34	openvpn	48841	MANAGEMENT: Client disconnected
                    Mar 2 17:08:34	openvpn	48841	MANAGEMENT: CMD 'quit'
                    Mar 2 17:08:34	openvpn	48841	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:08:34	openvpn	48841	MANAGEMENT: Client connected from /var/etc/openvpn/server4/sock
                    Mar 2 17:08:34	openvpn	73327	MANAGEMENT: Client disconnected
                    Mar 2 17:08:34	openvpn	73327	MANAGEMENT: CMD 'quit'
                    Mar 2 17:08:34	openvpn	73327	MANAGEMENT: CMD 'status 2'
                    Mar 2 17:08:33	openvpn	73327	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                    Mar 2 17:07:31	openvpn	48841	MANAGEMENT: Client disconnected
                    

                    Not sure if that gives any clue.

                    I was able to restart the VPN from the GUI, and it stayed up just fine. That tells me that there is something very different about the pfSense Auto restart and the GUI restart.

                    I think my little bash script that uses pfSsh.php playback svc restart openvpn, and AFAIK it was successful in solving this issue (when the WAN doesn't screw up too badly. This has been an issue for me for at least 5 years, and when I put in the watchdog script, it seemed to go away.

                    P.S: Is there any other way than pfSsh.php playback gatewaystatus to get the status in a more machine readable form that would be easier to work with in a bash script.?

                    Mar 2 06:15:00	php	80917	[pfBlockerNG] Starting cron process.
                    Mar 2 06:16:30	php	80917	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 07:15:00	php	97642	[pfBlockerNG] Starting cron process.
                    Mar 2 07:16:00	sshguard	90642	Exiting on signal.
                    Mar 2 07:16:00	sshguard	75986	Now monitoring attacks.
                    Mar 2 07:16:50	php	97642	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 08:15:00	php	1249	[pfBlockerNG] Starting cron process.
                    Mar 2 08:17:02	php	1249	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 09:15:00	php	12121	[pfBlockerNG] Starting cron process.
                    Mar 2 09:17:04	php	12121	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 10:15:00	php	18697	[pfBlockerNG] Starting cron process.
                    Mar 2 10:17:06	php	18697	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 11:15:00	php	85155	[pfBlockerNG] Starting cron process.
                    Mar 2 11:16:40	php	85155	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 12:15:00	php	91791	[pfBlockerNG] Starting cron process.
                    Mar 2 12:17:17	php	91791	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 12:30:00	php	86652	rc.update_urltables: /etc/rc.update_urltables: Starting up.
                    Mar 2 12:30:00	php	86652	rc.update_urltables: /etc/rc.update_urltables: Sleeping for 33 seconds.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_MALIP1HR_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_MALIP6HR_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_BBC177IP_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_ULTIMATE_IP_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_PRI1_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_PRI5_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_PRI3_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_PRI2_v4 does not need updating.
                    Mar 2 12:30:33	php	86652	rc.update_urltables: /etc/rc.update_urltables: pfB_PRI4_v4 does not need updating.
                    Mar 2 13:08:00	sshguard	75986	Exiting on signal.
                    Mar 2 13:08:00	sshguard	49929	Now monitoring attacks.
                    Mar 2 13:15:00	php	62501	[pfBlockerNG] Starting cron process.
                    Mar 2 13:16:58	php	62501	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 14:15:00	php	14690	[pfBlockerNG] Starting cron process.
                    Mar 2 14:16:56	php	14690	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 14:46:14	rc.gateway_alarm	5241	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:593.648ms RTTsd:1382.451ms Loss:0%)
                    Mar 2 14:46:14	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 14:46:14	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 14:46:14	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 14:46:14	check_reload_status	396	Reloading filter
                    Mar 2 14:46:14	rc.gateway_alarm	7363	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:644.890ms RTTsd:1423.938ms Loss:0%)
                    Mar 2 14:46:14	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 14:46:14	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 14:46:14	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 14:46:14	check_reload_status	396	Reloading filter
                    Mar 2 14:46:15	php-fpm	17557	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 14:46:15	php-fpm	17557	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 14:46:15	php-fpm	22688	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 14:46:15	php-fpm	22688	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 14:46:45	rc.gateway_alarm	48094	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:0 RTT:371.699ms RTTsd:1075.358ms Loss:0%)
                    Mar 2 14:46:45	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 14:46:45	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 14:46:45	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 14:46:45	check_reload_status	396	Reloading filter
                    Mar 2 14:46:45	rc.gateway_alarm	49922	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:325.207ms RTTsd:1034.753ms Loss:0%)
                    Mar 2 14:46:45	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 14:46:45	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 14:46:45	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 14:46:45	check_reload_status	396	Reloading filter
                    Mar 2 14:46:46	php-fpm	38038	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 14:46:46	php-fpm	38038	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 14:46:46	php-fpm	91128	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 14:46:46	php-fpm	91128	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:15:00	php	54242	[pfBlockerNG] Starting cron process.
                    Mar 2 15:16:34	php	54242	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 15:41:07	rc.gateway_alarm	26554	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:895.323ms RTTsd:2288.898ms Loss:0%)
                    Mar 2 15:41:07	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:41:07	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:41:07	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:41:07	check_reload_status	396	Reloading filter
                    Mar 2 15:41:07	rc.gateway_alarm	28826	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:829.265ms RTTsd:2134.126ms Loss:0%)
                    Mar 2 15:41:07	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:41:07	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:41:07	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:41:07	check_reload_status	396	Reloading filter
                    Mar 2 15:41:08	php-fpm	76071	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:41:08	php-fpm	76071	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:41:08	php-fpm	91128	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:41:08	php-fpm	91128	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 15:42:10	rc.gateway_alarm	19063	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:34.543ms RTTsd:101.709ms Loss:0%)
                    Mar 2 15:42:10	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:42:10	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:42:10	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:42:10	check_reload_status	396	Reloading filter
                    Mar 2 15:42:10	rc.gateway_alarm	20991	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:0 RTT:50.193ms RTTsd:102.034ms Loss:0%)
                    Mar 2 15:42:10	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:42:10	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:42:10	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:42:10	check_reload_status	396	Reloading filter
                    Mar 2 15:42:11	php-fpm	22688	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:42:11	php-fpm	22688	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:42:11	php-fpm	38038	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:42:11	php-fpm	38038	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 15:48:40	rc.gateway_alarm	63161	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:688.657ms RTTsd:1888.751ms Loss:0%)
                    Mar 2 15:48:41	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:48:41	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:48:41	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:48:41	check_reload_status	396	Reloading filter
                    Mar 2 15:48:41	rc.gateway_alarm	65610	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:689.002ms RTTsd:1853.070ms Loss:0%)
                    Mar 2 15:48:41	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:48:41	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:48:41	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:48:41	check_reload_status	396	Reloading filter
                    Mar 2 15:48:42	php-fpm	76071	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:48:42	php-fpm	76071	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:48:42	php-fpm	38038	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:48:42	php-fpm	38038	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 15:49:45	rc.gateway_alarm	58088	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:29.572ms RTTsd:100.481ms Loss:0%)
                    Mar 2 15:49:45	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:49:45	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:49:45	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:49:45	check_reload_status	396	Reloading filter
                    Mar 2 15:49:46	rc.gateway_alarm	60336	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:0 RTT:52.651ms RTTsd:111.949ms Loss:0%)
                    Mar 2 15:49:46	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:49:46	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:49:46	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:49:46	check_reload_status	396	Reloading filter
                    Mar 2 15:49:46	php-fpm	74959	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:49:46	php-fpm	74959	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:49:47	php-fpm	22688	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:49:47	php-fpm	22688	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 15:53:43	rc.gateway_alarm	61390	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:958.099ms RTTsd:2407.596ms Loss:0%)
                    Mar 2 15:53:43	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:53:43	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:53:43	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:53:43	check_reload_status	396	Reloading filter
                    Mar 2 15:53:43	rc.gateway_alarm	63840	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:984.444ms RTTsd:2424.976ms Loss:0%)
                    Mar 2 15:53:43	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:53:43	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:53:43	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:53:43	check_reload_status	396	Reloading filter
                    Mar 2 15:53:44	php-fpm	17557	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:53:44	php-fpm	17557	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:53:44	php-fpm	22688	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:53:44	php-fpm	22688	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 15:54:47	rc.gateway_alarm	53929	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:34.745ms RTTsd:113.154ms Loss:0%)
                    Mar 2 15:54:47	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 15:54:47	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:54:47	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:54:47	check_reload_status	396	Reloading filter
                    Mar 2 15:54:47	rc.gateway_alarm	57000	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:0 RTT:52.041ms RTTsd:113.582ms Loss:0%)
                    Mar 2 15:54:47	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 15:54:47	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 15:54:47	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 15:54:47	check_reload_status	396	Reloading filter
                    Mar 2 15:54:48	php-fpm	17557	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:54:48	php-fpm	17557	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 15:54:48	php-fpm	74959	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 15:54:48	php-fpm	74959	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 16:15:00	php	96721	[pfBlockerNG] Starting cron process.
                    Mar 2 16:16:44	php	96721	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                    Mar 2 16:19:49	rc.gateway_alarm	60859	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:1 RTT:1012.870ms RTTsd:2509.895ms Loss:0%)
                    Mar 2 16:19:49	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 16:19:49	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 16:19:49	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 16:19:49	check_reload_status	396	Reloading filter
                    Mar 2 16:19:49	rc.gateway_alarm	63012	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:1089.423ms RTTsd:2611.882ms Loss:0%)
                    Mar 2 16:19:49	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 16:19:49	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 16:19:49	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 16:19:49	check_reload_status	396	Reloading filter
                    Mar 2 16:19:50	php-fpm	74959	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 16:19:50	php-fpm	74959	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 16:19:50	php-fpm	76071	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 16:19:50	php-fpm	76071	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 16:20:05	rc.gateway_alarm	92576	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:1413.616ms RTTsd:2911.066ms Loss:22%)
                    Mar 2 16:20:05	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 16:20:05	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 16:20:05	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 16:20:05	check_reload_status	396	Reloading filter
                    Mar 2 16:20:06	php-fpm	74959	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 16:20:06	php-fpm	74959	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 16:20:54	rc.gateway_alarm	19106	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:41.868ms RTTsd:133.746ms Loss:0%)
                    Mar 2 16:20:54	check_reload_status	396	updating dyndns WAN_DHCP
                    Mar 2 16:20:54	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 16:20:54	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 16:20:54	check_reload_status	396	Reloading filter
                    Mar 2 16:20:55	php-fpm	76071	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 16:20:55	php-fpm	76071	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
                    Mar 2 16:21:01	rc.gateway_alarm	79201	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
                    Mar 2 16:21:01	check_reload_status	396	updating dyndns VPN_UDP_TOS_VPNV4
                    Mar 2 16:21:01	check_reload_status	396	Restarting IPsec tunnels
                    Mar 2 16:21:01	check_reload_status	396	Restarting OpenVPN tunnels/interfaces
                    Mar 2 16:21:01	check_reload_status	396	Reloading filter
                    Mar 2 16:21:02	php-fpm	38038	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 16:21:02	php-fpm	38038	/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPN_UDP_TOS_VPNV4.
                    Mar 2 16:50:57	root	55932	rc.update_bogons.sh is beginning the update cycle.
                    Mar 2 16:51:03	root	62791	Bogons V4 file downloaded: 14 addresses added.
                    Mar 2 16:51:03	root	62791	Bogons V4 file downloaded: 6 addresses deleted.
                    Mar 2 16:51:03	root	65183	Bogons V6 file downloaded: 45 addresses added.
                    Mar 2 16:51:03	root	65183	Bogons V6 file downloaded: 13 addresses deleted.
                    Mar 2 16:51:03	root	65617	rc.update_bogons.sh is ending the update cycle.
                    Mar 2 17:11:29	php-fpm	4753	/index.php: Successful login for user 'Barry_secure' from: 172.16.50.16 (Local Database)
                    Mar 2 17:13:15	php-fpm	74959	OpenVPN terminate old pid: 70501
                    Mar 2 17:13:15	kernel		ovpnc1: link state changed to DOWN
                    Mar 2 17:13:15	check_reload_status	396	Reloading filter
                    Mar 2 17:13:15	php-fpm	74959	OpenVPN PID written: 23195
                    Mar 2 17:13:15	check_reload_status	396	Reloading filter
                    Mar 2 17:13:15	kernel		ovpnc1: link state changed to UP
                    Mar 2 17:13:15	check_reload_status	396	rc.newwanip starting ovpnc1
                    Mar 2 17:13:16	php-fpm	91128	/rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
                    Mar 2 17:13:16	php-fpm	91128	/rc.newwanip: rc.newwanip: on (IP address: 10.8.110.23) (interface: VPN_UDP_TOS[opt28]) (real interface: ovpnc1).
                    Mar 2 17:13:34	php-fpm	91128	/rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 99.ZZZ.ZZZ.1
                    Mar 2 17:13:34	php-fpm	91128	/rc.newwanip: Removing static route for monitor 8.8.4.4 and adding a new route through 10.8.110.23
                    Mar 2 17:13:34	php-fpm	91128	/rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
                    Mar 2 17:13:34	php-fpm	91128	/rc.newwanip: IP Address has changed, killing states on former IP Address 10.16.110.16.
                    Mar 2 17:13:41	php-fpm	91128	/rc.newwanip: The command '/usr/sbin/arp -s '172.16.50.1' '00:xx:xx:xx:xx:05'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted'
                    Mar 2 17:13:42	php-fpm	91128	/rc.newwanip: Creating rrd update script
                    Mar 2 17:13:44	php-fpm	91128	/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.16.110.16 -> 10.8.110.23 - Restarting packages.
                    Mar 2 17:13:44	check_reload_status	396	Starting packages
                    Mar 2 17:13:45	php-fpm	74959	/rc.start_packages: Restarting/Starting all packages.
                    Mar 2 17:13:45	php-fpm	74959	/rc.start_packages: Reloading syslog-ng for configuration sync
                    Mar 2 17:13:46	supervise/syslog-ng	43274	Daemon exited gracefully, not restarting; exitcode='0'
                    Mar 2 17:13:50	php-fpm	74959	/rc.start_packages: The command '/usr/local/etc/rc.d/syslog-ng.sh stop' returned exit code '1', the output was ''
                    Mar 2 17:13:52	check_reload_status	396	Reloading filter
                    

                    If you find my post useful, please give it a thumbs up!
                    pfSense 2.8.0-RELEASE

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Online
                      stephenw10 Netgate Administrator
                      last edited by stephenw10

                      Mmm, Ok so right at the end of that log is where you login and restart the VPN client?

                      The service watchdog doesn't run at any time because the OpenVPN client doesn't ever die. It just keeps trying to connect which is what it's supposed to do.

                      Your WAN get's marked down numerous times during the 11 hours shown in that log but you can see each time the WAN gateway comes back up and so does the VPN gateway. The pings times to the monitred IP go back down to <50ms:

                      Mar 2 16:20:54	rc.gateway_alarm	19106	>>> Gateway alarm: WAN_DHCP (Addr:8.8.8.8 Alarm:0 RTT:41.868ms RTTsd:133.746ms Loss:0%)
                      

                      Until the last time where it comes back up but it at 100% packet loss:

                      Mar 2 16:21:01	rc.gateway_alarm	79201	>>> Gateway alarm: VPN_UDP_TOS_VPNV4 (Addr:8.8.4.4 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
                      

                      We don't have the OpenVPN logs for that time but I imagine they have been repeating since then so it would be that 'Bad encapsulated packet length from peer' error followed by 'Connection reset, restarting [0]'.

                      Is that OpenVPN client connecting to the same remote address every time or a pool or remote addresses?

                      It's probably trying to connect to something that isn't an OpenVPN server. It's a TCP connection, what's the remote port?

                      G 1 Reply Last reply Reply Quote 0
                      • G Offline
                        guardian Rebel Alliance @stephenw10
                        last edited by

                        @stephenw10 said in pfSense 2.6.0 Fails to Recover after WAN Issues:

                        We don't have the OpenVPN logs for that time but I imagine they have been repeating since then so it would be that 'Bad encapsulated packet length from peer' error followed by 'Connection reset, restarting [0]'.

                        I'm getting a ton of messages like this that are filling the log. (Verbosity Level is set to 4). It turns out that this is my VPN Access server running on port 443 TCP

                        Mar 2 17:08:34	openvpn	48841	MANAGEMENT: Client disconnected
                        Mar 2 17:08:34	openvpn	48841	MANAGEMENT: CMD 'quit'
                        Mar 2 17:08:34	openvpn	48841	MANAGEMENT: CMD 'status 2'
                        Mar 2 17:08:34	openvpn	48841	MANAGEMENT: Client connected from /var/etc/openvpn/server4/sock
                        

                        and this is my UDP access server

                        Mar 3 03:43:40	openvpn	73327	MANAGEMENT: Client disconnected
                        Mar 3 03:43:40	openvpn	73327	MANAGEMENT: CMD 'quit'
                        Mar 3 03:43:40	openvpn	73327	MANAGEMENT: CMD 'status 2'
                        Mar 3 03:43:40	openvpn	73327	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                        

                        Are these significant? What are they telling me? Do I need to be worried about these?
                        (They are not being used as I wasn't away and needing them).

                        I see this on the VPN Client that is the subject of this discussion. Is this an attack?

                        Mar 3 03:08:24	openvpn	23195	PID_ERR replay-window backtrack occurred [42] [SSL-0] [0__00_____0_0_0________________00000000000_000000000000000000000] 0:374099 0:374057 t=1677830904[0] r=[0,64,15,42,1] sl=[45,64,64,528]
                        

                        There are a lot of probes on my remote access servers:

                        Mar 3 01:52:35	openvpn	48841	186.211.1.7:61008 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 3 01:52:35	openvpn	48841	186.211.1.7:61008 Connection reset, restarting [0]
                        Mar 3 01:52:35	openvpn	48841	186.211.1.7:61008 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 3 01:52:33	openvpn	48841	TCP connection established with [AF_INET]186.211.1.7:61008
                        Mar 3 01:52:33	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 01:52:33	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 3 01:52:33	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 01:52:33	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 3 01:20:11	openvpn	48841	107.170.239.12:51002 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 3 01:20:11	openvpn	48841	107.170.239.12:51002 Connection reset, restarting [0]
                        Mar 3 01:20:11	openvpn	48841	107.170.239.12:51002 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 3 01:20:10	openvpn	48841	TCP connection established with [AF_INET]107.170.239.12:51002
                        Mar 3 01:20:10	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 01:20:10	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 3 01:20:10	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 01:20:10	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 3 00:20:48	openvpn	48841	91.193.7.84:60742 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 3 00:20:48	openvpn	48841	91.193.7.84:60742 Connection reset, restarting [0]
                        Mar 3 00:20:48	openvpn	48841	91.193.7.84:60742 WARNING: Bad encapsulated packet length from peer (39642), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 3 00:20:48	openvpn	48841	TCP connection established with [AF_INET]91.193.7.84:60742
                        Mar 3 00:20:48	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 00:20:48	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 3 00:20:48	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 00:20:48	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 2 23:52:48	openvpn	48841	193.106.29.122:61864 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:52:48	openvpn	48841	193.106.29.122:61864 Connection reset, restarting [0]
                        Mar 2 23:52:48	openvpn	48841	193.106.29.122:61864 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:52:46	openvpn	48841	TCP connection established with [AF_INET]193.106.29.122:61864
                        Mar 2 23:52:46	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:52:46	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:52:46	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:52:46	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 2 23:47:37	openvpn	48841	198.199.95.35:47508 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:47:37	openvpn	48841	198.199.95.35:47508 Connection reset, restarting [0]
                        Mar 2 23:47:37	openvpn	48841	198.199.95.35:47508 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:47:37	openvpn	48841	TCP connection established with [AF_INET]198.199.95.35:47508
                        Mar 2 23:47:37	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:47:37	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:47:37	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:47:37	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:47:33	openvpn	48841	107.170.229.7:57352 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:47:33	openvpn	48841	107.170.229.7:57352 Connection reset, restarting [0]
                        Mar 2 23:47:33	openvpn	48841	107.170.229.7:57352 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:47:33	openvpn	48841	TCP connection established with [AF_INET]107.170.229.7:57352
                        ----------
                        Mar 2 23:37:30	openvpn	73327	TLS Error: tls-crypt unwrapping failed from [AF_INET]205.210.31.13:56419
                        Mar 2 23:37:30	openvpn	73327	tls-crypt unwrap error: packet too short
                        ----------
                        Mar 2 23:37:09	openvpn	48841	185.180.143.6:48848 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:37:09	openvpn	48841	185.180.143.6:48848 Connection reset, restarting [0]
                        Mar 2 23:37:09	openvpn	48841	185.180.143.6:48848 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:37:09	openvpn	48841	TCP connection established with [AF_INET]185.180.143.6:48848
                        Mar 2 23:37:09	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:37:09	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:37:09	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:37:09	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 2 23:30:44	openvpn	48841	128.14.141.34:57556 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:30:44	openvpn	48841	128.14.141.34:57556 Connection reset, restarting [0]
                        Mar 2 23:30:44	openvpn	48841	128.14.141.34:57556 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:30:44	openvpn	48841	TCP connection established with [AF_INET]128.14.141.34:57556
                        Mar 2 23:30:44	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:30:44	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:30:44	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:30:44	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        ----------
                        Mar 2 23:09:07	openvpn	48841	5.188.210.227:39461 SIGUSR1[soft,connection-reset] received, client-instance restarting
                        Mar 2 23:09:07	openvpn	48841	5.188.210.227:39461 Connection reset, restarting [0]
                        Mar 2 23:09:07	openvpn	48841	5.188.210.227:39461 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
                        Mar 2 23:09:03	openvpn	48841	TCP connection established with [AF_INET]5.188.210.227:39461
                        Mar 2 23:09:03	openvpn	48841	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:09:03	openvpn	48841	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 2 23:09:03	openvpn	48841	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 2 23:09:03	openvpn	48841	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        

                        I have a remote access server on port 443, and it looks like it is taking a bit of fire. Anything special I should be doing to protect it? (Currently protected by a TLS key + strong cert + password) Unless there is a CVE on OpenVPN I would assume that I should be OK (DDoS is the worst case) I shouldn't really be a target, so I suspect that these are just automated attacks.

                        Is that OpenVPN client connecting to the same remote address every time or a pool or remote addresses?

                        It's probably trying to connect to something that isn't an OpenVPN server. It's a TCP connection, what's the remote port?

                        I didn't realize, but it turns out they are one of my remote access servers. It doesn't relate to the incident, but I'm sure it has happened many times:

                        Mar 3 03:57:16	openvpn	90372	MANAGEMENT: Client disconnected
                        Mar 3 03:57:16	openvpn	90372	MANAGEMENT: CMD 'quit'
                        Mar 3 03:57:16	openvpn	90372	MANAGEMENT: CMD 'status 2'
                        Mar 3 03:57:16	openvpn	90372	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                        Mar 3 03:56:40	openvpn	90372	Initialization Sequence Completed
                        Mar 3 03:56:40	openvpn	90372	IFCONFIG POOL IPv4: base=172.16.71.2 size=252
                        Mar 3 03:56:40	openvpn	90372	MULTI: multi_init called, r=256 v=256
                        Mar 3 03:56:40	openvpn	90372	UDPv4 link remote: [AF_UNSPEC]
                        Mar 3 03:56:40	openvpn	90372	UDPv4 link local (bound): [AF_INET]99.ZZZ.ZZZ.182:1194
                        Mar 3 03:56:40	openvpn	90372	Socket Buffers: R=[42080->42080] S=[57344->57344]
                        Mar 3 03:56:40	openvpn	90372	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
                        Mar 3 03:56:40	openvpn	90372	/usr/local/sbin/ovpn-linkup ovpns3 1500 1622 172.16.71.1 255.255.255.0 init
                        Mar 3 03:56:40	openvpn	90372	/sbin/route add -net 172.16.71.0 172.16.71.2 255.255.255.0
                        Mar 3 03:56:40	openvpn	90372	/sbin/ifconfig ovpns3 172.16.71.1 172.16.71.2 mtu 1500 netmask 255.255.255.0 up
                        Mar 3 03:56:40	openvpn	90372	do_ifconfig, ipv4=1, ipv6=0
                        Mar 3 03:56:40	openvpn	90372	TUN/TAP device /dev/tun3 opened
                        Mar 3 03:56:40	openvpn	90372	TUN/TAP device ovpns3 exists previously, keep at program end
                        Mar 3 03:56:40	openvpn	90372	TLS-Auth MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
                        Mar 3 03:56:40	openvpn	90372	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 03:56:40	openvpn	90372	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 3 03:56:40	openvpn	90372	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                        Mar 3 03:56:40	openvpn	90372	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                        Mar 3 03:56:40	openvpn	90372	WARNING: experimental option --capath /var/etc/openvpn/server3/ca
                        Mar 3 03:56:40	openvpn	90372	Diffie-Hellman initialized with 2048 bit key
                        Mar 3 03:56:40	openvpn	90372	PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so] [/usr/local/sbin/ovpn_auth_verify_async] [user] [TG9jYWwgRGF0YWJhc2U=] [true] [server3] [1194]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
                        Mar 3 03:56:40	openvpn	90372	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Mar 3 03:56:40	openvpn	90372	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3/sock
                        Mar 3 03:56:40	openvpn	90032	library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
                        Mar 3 03:56:40	openvpn	90032	OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
                        Mar 3 03:56:40	openvpn	90032	auth_user_pass_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	pull = DISABLED
                        Mar 3 03:56:40	openvpn	90032	client = DISABLED
                        Mar 3 03:56:40	openvpn	90032	vlan_pvid = 1
                        Mar 3 03:56:40	openvpn	90032	vlan_accept = all
                        Mar 3 03:56:40	openvpn	90032	vlan_tagging = DISABLED
                        Mar 3 03:56:40	openvpn	90032	port_share_port = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	port_share_host = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	auth_token_secret_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	auth_token_lifetime = 0
                        Mar 3 03:56:40	openvpn	90032	auth_token_generate = DISABLED
                        Mar 3 03:56:40	openvpn	90032	auth_user_pass_verify_script_via_file = DISABLED
                        Mar 3 03:56:40	openvpn	90032	auth_user_pass_verify_script = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	max_routes_per_client = 256
                        Mar 3 03:56:40	openvpn	90032	max_clients = 4
                        Mar 3 03:56:40	openvpn	90032	cf_per = 0
                        Mar 3 03:56:40	openvpn	90032	cf_max = 0
                        Mar 3 03:56:40	openvpn	90032	duplicate_cn = DISABLED
                        Mar 3 03:56:40	openvpn	90032	enable_c2c = ENABLED
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_ipv6_remote = ::
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_ipv6_local = ::/0
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_ipv6_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_remote_netmask = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_local = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	push_ifconfig_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	tmp_dir = '/tmp'
                        Mar 3 03:56:40	openvpn	90032	ccd_exclusive = DISABLED
                        Mar 3 03:56:40	openvpn	90032	client_config_dir = '/var/etc/openvpn/server3/csc'
                        Mar 3 03:56:40	openvpn	90032	client_disconnect_script = '/usr/local/sbin/openvpn.attributes.sh'
                        Mar 3 03:56:40	openvpn	90032	learn_address_script = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	client_connect_script = '/usr/local/sbin/openvpn.attributes.sh'
                        Mar 3 03:56:40	openvpn	90032	virtual_hash_size = 256
                        Mar 3 03:56:40	openvpn	90032	real_hash_size = 256
                        Mar 3 03:56:40	openvpn	90032	tcp_queue_limit = 64
                        Mar 3 03:56:40	openvpn	90032	n_bcast_buf = 256
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_pool_netbits = 0
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_pool_base = ::
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_pool_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_persist_refresh_freq = 600
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_persist_filename = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_netmask = 255.255.255.0
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_end = 172.16.71.253
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_start = 172.16.71.2
                        Mar 3 03:56:40	openvpn	90032	ifconfig_pool_defined = ENABLED
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'ping-restart 60'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'ping 10'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'topology subnet'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'route-gateway 172.16.71.1'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'redirect-gateway def1'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'dhcp-option NTP 172.16.71.1'
                        Mar 3 03:56:40	openvpn	90032	push_entry = 'dhcp-option DNS 172.16.71.1'
                        Mar 3 03:56:40	openvpn	90032	server_bridge_pool_end = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	server_bridge_pool_start = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	server_bridge_netmask = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	server_bridge_ip = 0.0.0.0
                        Mar 3 03:56:40	openvpn	90032	server_netbits_ipv6 = 0
                        Mar 3 03:56:40	openvpn	90032	server_network_ipv6 = ::
                        Mar 3 03:56:40	openvpn	90032	server_netmask = 255.255.255.0
                        Mar 3 03:56:40	openvpn	90032	server_network = 172.16.71.0
                        Mar 3 03:56:40	openvpn	90032	tls_crypt_v2_metadata = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	tls_exit = DISABLED
                        Mar 3 03:56:40	openvpn	90032	push_peer_info = DISABLED
                        Mar 3 03:56:40	openvpn	90032	single_session = DISABLED
                        Mar 3 03:56:40	openvpn	90032	transition_window = 3600
                        Mar 3 03:56:40	openvpn	90032	handshake_window = 60
                        Mar 3 03:56:40	openvpn	90032	renegotiate_seconds = 0
                        Mar 3 03:56:40	openvpn	90032	renegotiate_packets = 0
                        Mar 3 03:56:40	openvpn	90032	renegotiate_bytes = -1
                        Mar 3 03:56:40	openvpn	90032	tls_timeout = 2
                        Mar 3 03:56:40	openvpn	90032	ssl_flags = 4
                        Mar 3 03:56:40	openvpn	90032	remote_cert_eku = 'TLS Web Client Authentication'
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 0
                        Mar 3 03:56:40	openvpn	90032	remote_cert_ku[i] = 224
                        Mar 3 03:56:40	openvpn	90032	ns_cert_type = 0
                        Mar 3 03:56:40	openvpn	90032	crl_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	verify_x509_name = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	verify_x509_type = 0
                        Mar 3 03:56:40	openvpn	90032	tls_export_cert = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	tls_verify = '/usr/local/sbin/ovpn_auth_verify tls 'REMOTEACCESS1' 2'
                        Mar 3 03:56:40	openvpn	90032	tls_cert_profile = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	cipher_list_tls13 = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	cipher_list = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	pkcs12_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	priv_key_file = '/var/etc/openvpn/server3/key'
                        Mar 3 03:56:40	openvpn	90032	extra_certs_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	cert_file = '/var/etc/openvpn/server3/cert'
                        Mar 3 03:56:40	openvpn	90032	dh_file = '/etc/dh-parameters.2048'
                        Mar 3 03:56:40	openvpn	90032	ca_path = '/var/etc/openvpn/server3/ca'
                        Mar 3 03:56:40	openvpn	90032	ca_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	tls_client = DISABLED
                        Mar 3 03:56:40	openvpn	90032	tls_server = ENABLED
                        Mar 3 03:56:40	openvpn	90032	test_crypto = DISABLED
                        Mar 3 03:56:40	openvpn	90032	packet_id_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	replay_time = 15
                        Mar 3 03:56:40	openvpn	90032	replay_window = 64
                        Mar 3 03:56:40	openvpn	90032	mute_replay_warnings = DISABLED
                        Mar 3 03:56:40	openvpn	90032	replay = ENABLED
                        Mar 3 03:56:40	openvpn	90032	engine = DISABLED
                        Mar 3 03:56:40	openvpn	90032	keysize = 0
                        Mar 3 03:56:40	openvpn	90032	prng_nonce_secret_len = 16
                        Mar 3 03:56:40	openvpn	90032	prng_hash = 'SHA1'
                        Mar 3 03:56:40	openvpn	90032	authname = 'SHA512'
                        Mar 3 03:56:40	openvpn	90032	ncp_ciphers = 'AES-256-GCM'
                        Mar 3 03:56:40	openvpn	90032	ncp_enabled = ENABLED
                        Mar 3 03:56:40	openvpn	90032	ciphername = 'AES-256-GCM'
                        Mar 3 03:56:40	openvpn	90032	key_direction = not set
                        Mar 3 03:56:40	openvpn	90032	shared_secret_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	plugin[0] /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so] [/usr/local/sbin/ovpn_auth_verify_async] [user] [TG9jYWwgRGF0YWJhc2U=] [true] [server3] [1194]'
                        Mar 3 03:56:40	openvpn	90032	management_flags = 256
                        Mar 3 03:56:40	openvpn	90032	management_client_group = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	management_client_user = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	management_write_peer_info_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	management_echo_buffer_size = 100
                        Mar 3 03:56:40	openvpn	90032	management_log_history_cache = 250
                        Mar 3 03:56:40	openvpn	90032	management_user_pass = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	management_port = 'unix'
                        Mar 3 03:56:40	openvpn	90032	management_addr = '/var/etc/openvpn/server3/sock'
                        Mar 3 03:56:40	openvpn	90032	allow_pull_fqdn = DISABLED
                        Mar 3 03:56:40	openvpn	90032	route_gateway_via_dhcp = DISABLED
                        Mar 3 03:56:40	openvpn	90032	route_nopull = DISABLED
                        Mar 3 03:56:40	openvpn	90032	route_delay_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	route_delay_window = 30
                        Mar 3 03:56:40	openvpn	90032	route_delay = 0
                        Mar 3 03:56:40	openvpn	90032	route_noexec = DISABLED
                        Mar 3 03:56:40	openvpn	90032	route_default_metric = 0
                        Mar 3 03:56:40	openvpn	90032	route_default_gateway = '172.16.71.2'
                        Mar 3 03:56:40	openvpn	90032	route_script = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	comp.flags = 1
                        Mar 3 03:56:40	openvpn	90032	comp.alg = 2
                        Mar 3 03:56:40	openvpn	90032	fast_io = DISABLED
                        Mar 3 03:56:40	openvpn	90032	sockflags = 0
                        Mar 3 03:56:40	openvpn	90032	sndbuf = 0
                        Mar 3 03:56:40	openvpn	90032	rcvbuf = 0
                        Mar 3 03:56:40	openvpn	90032	occ = ENABLED
                        Mar 3 03:56:40	openvpn	90032	status_file_update_freq = 60
                        Mar 3 03:56:40	openvpn	90032	status_file_version = 1
                        Mar 3 03:56:40	openvpn	90032	status_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	gremlin = 0
                        Mar 3 03:56:40	openvpn	90032	mute = 0
                        Mar 3 03:56:40	openvpn	90032	verbosity = 4
                        Mar 3 03:56:40	openvpn	90032	nice = 0
                        Mar 3 03:56:40	openvpn	90032	machine_readable_output = DISABLED
                        Mar 3 03:56:40	openvpn	90032	suppress_timestamps = DISABLED
                        Mar 3 03:56:40	openvpn	90032	log = DISABLED
                        Mar 3 03:56:40	openvpn	90032	inetd = 0
                        Mar 3 03:56:40	openvpn	90032	daemon = ENABLED
                        Mar 3 03:56:40	openvpn	90032	up_delay = DISABLED
                        Mar 3 03:56:40	openvpn	90032	up_restart = DISABLED
                        Mar 3 03:56:40	openvpn	90032	down_pre = DISABLED
                        Mar 3 03:56:40	openvpn	90032	down_script = '/usr/local/sbin/ovpn-linkdown'
                        Mar 3 03:56:40	openvpn	90032	up_script = '/usr/local/sbin/ovpn-linkup'
                        Mar 3 03:56:40	openvpn	90032	writepid = '/var/run/openvpn_server3.pid'
                        Mar 3 03:56:40	openvpn	90032	cd_dir = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	chroot_dir = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	groupname = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	username = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	resolve_in_advance = DISABLED
                        Mar 3 03:56:40	openvpn	90032	resolve_retry_seconds = 1000000000
                        Mar 3 03:56:40	openvpn	90032	passtos = DISABLED
                        Mar 3 03:56:40	openvpn	90032	persist_key = ENABLED
                        Mar 3 03:56:40	openvpn	90032	persist_remote_ip = ENABLED
                        Mar 3 03:56:40	openvpn	90032	persist_local_ip = DISABLED
                        Mar 3 03:56:40	openvpn	90032	persist_tun = ENABLED
                        Mar 3 03:56:40	openvpn	90032	remap_sigusr1 = 0
                        Mar 3 03:56:40	openvpn	90032	ping_timer_remote = ENABLED
                        Mar 3 03:56:40	openvpn	90032	ping_rec_timeout_action = 2
                        Mar 3 03:56:40	openvpn	90032	ping_rec_timeout = 120
                        Mar 3 03:56:40	openvpn	90032	ping_send_timeout = 10
                        Mar 3 03:56:40	openvpn	90032	inactivity_timeout = 0
                        Mar 3 03:56:40	openvpn	90032	keepalive_timeout = 60
                        Mar 3 03:56:40	openvpn	90032	keepalive_ping = 10
                        Mar 3 03:56:40	openvpn	90032	mlock = DISABLED
                        Mar 3 03:56:40	openvpn	90032	mtu_test = 0
                        Mar 3 03:56:40	openvpn	90032	shaper = 0
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_remote = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_netbits = 0
                        Mar 3 03:56:40	openvpn	90032	ifconfig_ipv6_local = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	ifconfig_nowarn = DISABLED
                        Mar 3 03:56:40	openvpn	90032	ifconfig_noexec = DISABLED
                        Mar 3 03:56:40	openvpn	90032	ifconfig_remote_netmask = '255.255.255.0'
                        Mar 3 03:56:40	openvpn	90032	ifconfig_local = '172.16.71.1'
                        Mar 3 03:56:40	openvpn	90032	topology = 3
                        Mar 3 03:56:40	openvpn	90032	lladdr = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	dev_node = '/dev/tun3'
                        Mar 3 03:56:40	openvpn	90032	dev_type = 'tun'
                        Mar 3 03:56:40	openvpn	90032	dev = 'ovpns3'
                        Mar 3 03:56:40	openvpn	90032	ipchange = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	remote_random = DISABLED
                        Mar 3 03:56:40	openvpn	90032	Connection profiles END
                        Mar 3 03:56:40	openvpn	90032	tls_crypt_v2_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	tls_crypt_file = '[INLINE]'
                        Mar 3 03:56:40	openvpn	90032	key_direction = not set
                        Mar 3 03:56:40	openvpn	90032	tls_auth_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	explicit_exit_notification = 0
                        Mar 3 03:56:40	openvpn	90032	mssfix = 1450
                        Mar 3 03:56:40	openvpn	90032	fragment = 0
                        Mar 3 03:56:40	openvpn	90032	mtu_discover_type = -1
                        Mar 3 03:56:40	openvpn	90032	tun_mtu_extra_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	tun_mtu_extra = 0
                        Mar 3 03:56:40	openvpn	90032	link_mtu_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	link_mtu = 1500
                        Mar 3 03:56:40	openvpn	90032	tun_mtu_defined = ENABLED
                        Mar 3 03:56:40	openvpn	90032	tun_mtu = 1500
                        Mar 3 03:56:40	openvpn	90032	socks_proxy_port = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	socks_proxy_server = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	connect_timeout = 120
                        Mar 3 03:56:40	openvpn	90032	connect_retry_seconds = 5
                        Mar 3 03:56:40	openvpn	90032	bind_ipv6_only = DISABLED
                        Mar 3 03:56:40	openvpn	90032	bind_local = ENABLED
                        Mar 3 03:56:40	openvpn	90032	bind_defined = DISABLED
                        Mar 3 03:56:40	openvpn	90032	remote_float = ENABLED
                        Mar 3 03:56:40	openvpn	90032	remote_port = '1194'
                        Mar 3 03:56:40	openvpn	90032	remote = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	local_port = '1194'
                        Mar 3 03:56:40	openvpn	90032	local = '99.ZZZ.ZZZ.182'
                        Mar 3 03:56:40	openvpn	90032	proto = udp4
                        Mar 3 03:56:40	openvpn	90032	Connection profiles [0]:
                        Mar 3 03:56:40	openvpn	90032	connect_retry_max = 0
                        Mar 3 03:56:40	openvpn	90032	show_tls_ciphers = DISABLED
                        Mar 3 03:56:40	openvpn	90032	key_pass_file = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	genkey_filename = '[UNDEF]'
                        Mar 3 03:56:40	openvpn	90032	genkey = DISABLED
                        Mar 3 03:56:40	openvpn	90032	show_engines = DISABLED
                        Mar 3 03:56:40	openvpn	90032	show_digests = DISABLED
                        Mar 3 03:56:40	openvpn	90032	show_ciphers = DISABLED
                        Mar 3 03:56:40	openvpn	90032	mode = 1
                        Mar 3 03:56:40	openvpn	90032	config = '/var/etc/openvpn/server3/config.ovpn'
                        Mar 3 03:56:40	openvpn	90032	Current Parameter Settings:
                        Mar 3 03:56:40	openvpn	90032	WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
                        Mar 3 03:56:40	openvpn	73327	SIGTERM[hard,] received, process exiting
                        Mar 3 03:56:40	openvpn	73327	PLUGIN_CLOSE: /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so
                        Mar 3 03:56:40	openvpn	73327	/usr/local/sbin/ovpn-linkdown ovpns3 1500 1622 172.16.71.1 255.255.255.0 init
                        Mar 3 03:56:40	openvpn	73327	Closing TUN/TAP interface
                        Mar 3 03:56:40	openvpn	73327	event_wait : Interrupted system call (code=4)
                        

                        Unless the remote server issues are causing the VPN client to crash these are a red herring.

                        Any thoughts?

                        If you find my post useful, please give it a thumbs up!
                        pfSense 2.8.0-RELEASE

                        1 Reply Last reply Reply Quote 0
                        • JKnottJ Offline
                          JKnott @guardian
                          last edited by

                          @guardian said in pfSense 2.6.0 Fails to Recover after WAN Issues:

                          BTW what speed service/modem do you have. I have GB/Hitron CPDA-4582U.

                          I have a Technicolor CGM4140COM in bridge mode. I pay for 500/30, but get over 900 Mb down and 32 up.

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S Online
                            stephenw10 Netgate Administrator
                            last edited by

                            Yeah having servers and clients makes things confusing. A server running on TCP port 443 is going to see those packet size errors because https connection attempts if it's open to any external IP.

                            We probably need to see the OpenVPN logs from the client then. Ideally at the point it tries to connect but fails to pass traffic.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.